Thousands Exposed in Municipal Website Breaches

Earlier this month, news broke that Wellington, Fla., had sensitive payment information stolen through a billing vendor. Now, it appears the city was not alone.

by Kristina Webb, The Palm Beach Post
June 25, 2018


(TNS) — Tammy Avella can’t be blamed for hoping the email saying her credit card number had been stolen was a mistake.

She’s aware of the risks of doing business online, but the Wellington resident had been through the same routine just three weeks before: Bank of America detected fraudulent purchases, and Avella shut down the card and started anew.


While thousands of Wellington customers across six departments may have been affected by the breach, similar Click2Gov breaches across the United States potentially exposed tens of thousands of other customers of local governments in states including California, Texas, Arizona and Wisconsin, a Palm Beach Post review of local government records revealed.

No, Wellington is not alone. And officials who spoke with The Post had the same message: The problem went on for too long, and with little communication from Lake Mary-based Superion.

The breaches have led some cybersecurity experts to ask questions: How safe are local government websites? And who is responsible for the Click2Gov breaches?

Wellington breach

Wellington’s breach was detected by Superion about the time Avella received her email aboard Norwegian Cruise Line’s Getaway. Before leaving for vacation, she did what most homeowners do — paid her bills, making sure the water and lights stayed on.

The email from Bank of America said her card had been used to pay $338 to a fuel injection business in Pensacola, she said. The bank then told her someone tried to make a purchase on Nike’s website, but that was declined. The charges may have slipped under the radar except for one factor: “The reason they caught it was because I put a travel notice on,” Avella said.

Superion notified Wellington on June 6 that its Click2Gov server could be compromised. Within an hour of that notification, Wellington shut down its online payment system, chief information officer William Silliman said.

He and his team began working with a third-party forensic company, The Sylint Group, to investigate the breach and mitigate any possible effects. Sylint was able to narrow the window of Wellington’s breach: The utilities department was breached Nov. 28. A breach was detected in Wellington’s building, business license, code, parking ticket and planning departments on March 30. Sylint said the window closed June 4, Silliman said. The village was notified two days later and alerted customers June 7.

Only one-time credit or debit card payments were exposed in the breach, the village said. Online payments made using checks or set to automatically charge, as well as phone and in-person payments, were not affected.

About 26 hours after Silliman shut down the server, Wellington had a new one ready to process payments. Silliman’s team added layer upon layer of extra security, until he felt comfortable accepting payments again.

But not all governments hit by Click2Gov breaches have taken that route.

Stay or go?

In Ormond Beach, officials already planned to switch to a new payment processing vendor before a customer called in September to report a fraudulent charge on her credit card that was made after she paid her utility bill, information technology director Ned Huhta said.

The city had been with Superion since 1988, and officials felt it was time for a change. “It’s been a good run, but they just haven’t been as nimble as some of the other vendors,” he said.

Officials chose Tyler Technologies — the same vendor Wellington selected last year when it decided to change bill-pay vendors as well. While Ormond Beach is closer to completing its transition to Tyler, Wellington kicked off a three-year migration process Jan. 1.

The customer who raised a red flag for Ormond Beach was one of about 250 utilities customers hit by what that city still calls “a potential breach,” having found no “smoking gun” to point to an actual hack, Huhta said.

How we got the story

Palm Beach Post reporter Kristina Webb received a tip from a reader on June 7, the day Wellington announced its potential breach, to look for a pattern of Superion Click2Gov incidents. Hours of research led her to find public records of potential breaches in Arizona, Wisconsin, Texas and California, as well as Florida. As patterns formed, they led her to the breach in Okaloosa County, previously not reported as a Click2Gov incident.

While Sylint was able to find evidence on Wellington’s server that a hacker had placed what amounts to a digital credit card skimmer on top of the Click2Gov code, there was no similar evidence in Ormond Beach.

Still, Huhta said, “It was obvious that there was something going on.” The potential breach happened between Aug. 14 and Oct. 4, he said. As with Wellington, only one-time credit and debit card payments were affected.

Since the incident, Ormond Beach has moved to a Superion-hosted server — an additional $18,000 a year, but worth the expense for security, Huhta said. “It’s kind of well worth shifting that burden to them,” he said.

Okaloosa County went in the opposite direction after experiencing a breach between December and March. Instead of beefing up its security or moving to a Superion-hosted server, it left Superion altogether, deputy county administrator Greg Kisela said.

It took about two months for the county to decide to make the switch and then select a new vendor: Selectron Technologies, the same payment vendor used by Delray Beach.

Until Selectron is operational, Okaloosa County’s water and sewer customers can’t make online payments. “Which as you can imagine is a major inconvenience,” Kisela said.

Another local breach

City spokesman Ben Kerr confirmed the breach hit customers “throughout 2017.” A February email sent to online customers narrowed the window to April 3, 2017, to Jan. 22, making it one of the longer breaches found by The Post.

Lake Worth and Wellington are two of several Palm Beach County municipalities that use Click2Gov.

Boynton Beach uses a Superion-hosted server for its payment processing. Boca Raton also uses the software, but a spokeswoman told The Post the city “had applied all of the security patches and a Hotfix supplied by the vendor.”

Wellington’s Silliman suggested that governments using the system for payment processing contact Superion to double and triple check their security. “If you’ve got Click2Gov, get it in writing,” he said. “Know you’re on the latest and greatest patches.”

'The playground'

While any software is vulnerable to hacking, officials say government entities including cities and school districts seem especially susceptible.

It could be a money issue, but Silliman said it’s more about taking time to build the layers of protection necessary to deter would-be thieves.

“I know that I am the playground for these kiddie hackers,” he said. The village gets hit by “all kinds of attacks on all levels,” he added, but rarely do those attacks penetrate what Silliman calls “tripwires.”

Since the breach, Wellington is adding more security across all its systems, he said.

What to do

Have you been affected by a data breach? Wellington recommends following these steps:

• Request a fraud alert on your credit file. This will tell creditors to contact you before opening new accounts or changing existing accounts.

• Request credit reports be sent to you, free of charge, for your review. Even if you do not find any suspicious activity on your credit reports, the Federal Trade Commission recommends that you check your credit reports periodically. Equifax: Equifax.com or 800-525-6285; Experian: Experian.com or 888-397-3742; TransUnion: Transunion.com or 800-680-7289.

The number and frequency of cyberattacks pose a challenge for all organizations, according to the Department of Homeland Security.

“As technology brings us conveniences and efficiencies we haven’t seen before, it also opens us up to new risks, including the possibility of exposing Americans’ personal or financial information,” a DHS official said. “State and local governments are on the frontlines of protecting this information, and we work with them every day to help secure their networks and infrastructure against malicious activity and vulnerabilities.”

Ormond Beach’s Huhta said that while he doesn’t feel local governments are more inclined to get hit by hackers, it winds up even worse than when large businesses are affected. “When it does happen, it’s especially bad because it does tend to erode people’s trust,” he said. “But we’re just as susceptible as anyone else.”

Related breaches

Lake Worth’s breach is the earliest of those found by The Post. At least 10 local governments have been hit recently:

• Lake Worth: April 3, 2017 to Jan. 22

• Goodyear, Ariz.: June 13, 2017 to May 5

• Oceanside, Calif.: July 1 to Aug. 13, 2017

• Beaumont, Texas: Aug. 1-24, 2017

• Ormond Beach: Aug. 14 to Oct. 4, 2017

• Fond du Lac, Wis.: August to October, 2017

• Wellington: Nov. 28, 2017 to June 4

• Okaloosa County: December 2017 to March

• Thousand Oaks, Calif.: Jan. 4-10

• Oxnard, Calif.: March 26 to May 29, 2017

And there could be more. Once directed to The Sylint Group by Superion, Wellington’s Silliman said he asked the company how many other Click2Gov breaches it had consulted on. While Sylint would not provide an exact number, they agreed to “more than 10,” Silliman said.

Ormond Beach, Okaloosa County and Wellington said they were contacted by Superion and told to install patches to the server before the breaches were found.

“What we’ve seen so far with Superion and Click2Gov is what looks like a pattern of multiple vulnerabilities not being comprehensively corrected,” she said. “They knew there were problems with the system.”

In Wellington’s case, Sylint’s forensic team found that the code used to snag credit card numbers was written specifically for Click2Gov, Silliman said. “That is a giant red flag,” Goddijn said.

Complicating the process of finding related breaches: Many governments do not list Click2Gov as their vendor when releasing information about data breaches. “It makes it harder for organizations to know if they’re at risk using a vendor’s product,” she said.

Proactive enough?

While several officials who spoke with The Post questioned Superion’s response to the breaches, the company placed the responsibility on local governments that host their own Click2Gov servers.

“To date, Superion has deployed the necessary patch to our software and a related third-party component, and over 99 percent of these customers have applied these patches,” Superion spokeswoman Carol Matthieu said in an email. “At this time, we have no evidence showing that it is unsafe to make payments utilizing Click2Gov on hosted or secure on-premise networks with recommended patches and configurations. Superion does not control our customers’ networks, so we recommend citizens contact their municipality or county if they have any questions related to security.

“It is important to note that these security issues have taken place only in locally hosted on-premise networks in certain towns and cities,” she continued. “Not a single client in Superion’s data centers or in the Superion Cloud has faced these issues, even when they are using the same software product. We at Superion are committed to combating these attacks on local government systems by offering cloud-based secure environments that protect data for local governments facing an increasing number of cyber-security threats.”

“I was really mad about that,” he said. With at least four breaches before his city’s, Huhta said more should have been done to protect all of Superion’s clients, not just those who pay extra to have their servers hosted through the company.

“It should have been solved well before me,” he said.

Moving forward

Little legal recourse is available for customers when credit card information is exposed as part of a data breach, said Christopher Hopkins, a Palm Beach County attorney who specializes in cybersecurity and internet law.

And seemingly no company is immune from hackers. Even credit-monitoring service Equifax was hit last year, with the private information of 143 million customers exposed, according to reports. Other large corporations including Orbitz, Target, Facebook and Arby’s have reported breaches.

While Click2Gov continues to be used by hundreds of local governments for everything from payment processing to permit applications, the company plans to move its technology so it redirects to outside payment processors, spokeswoman Matthieu said. “Superion software will not manage credit cards directly,” she said.

Wellington and other governments hit by the Click2Gov breach advise their customers to contact their banks, place fraud alerts on accounts and sign up for free credit monitoring.

But Wellington resident Avella would like to see something more — from Superion.

“They should be held accountable,” she said. “They knew about it and clearly they didn’t fix it.”
